Skygofree — a Hollywood-style mobile spy

Most Trojans are basically the same: Having penetrated a device, they steal the owner’s payment information, mine cryptocurrency for the attackers, or encrypt data and demand a ransom. But some display capabilities more reminiscent of Hollywood spy movies.

We recently discovered one such cinematic Trojan by the name of Skygofree (it doesn’t have anything to do with the television service Sky Go; it was named after one of the domains it used). Skygofree is overflowing with functions, some of which we haven’t encountered elsewhere. For example, it can track the location of a device it is installed on and turn on audio recording when the owner is in a certain place. In practice, this means that attackers can start listening in on victims when, say, they enter the office or visit the CEO’s home.

Another interesting technique Skygofree employs is surreptitiously connecting an infected smartphone or tablet to a Wi-Fi network controlled by the attackers — even if the owner of the device has disabled all Wi-Fi connections on the device. This lets the victim’s traffic be collected and analyzed. In other words, someone somewhere will know exactly what sites were looked at and what logins, passwords, and card numbers were entered.

The malware also has a couple of functions that help it operate in standby mode. For example, the latest version of Android can automatically stop inactive processes to save battery power, but Skygofree is able to bypass this by periodically sending system notifications. And on smartphones made by one of the tech majors, where all apps except for favorites are stopped when the screen is turned off, Skygofree adds itself automatically to the favorites list.

The malware can also monitor popular apps such as Facebook Messenger, Skype, Viber, and WhatsApp. In the latter case, the developers again showed savvy — the Trojan reads WhatsApp messages through Accessibility Services. We have already explained how this tool for visually or aurally impaired users can be used by intruders to control an infected device. It’s a kind of “digital eye” that reads what’s displayed on the screen, and in the case of Skygofree, it collects messages from WhatsApp. Using Accessibility Services requires the user’s permission, but the malware hides the request for permission behind some other, seemingly innocent, request.

Last but not least, Skygofree can secretly turn on the front-facing camera and take a shot when the user unlocks the device — one can only guess how the criminals will use these photos.

However, the authors of the innovative Trojan did not dispense with more mundane features. Skygofree can also to intercept calls, SMS messages, calendar entries, and other user data.

The promise of fast Internet

We discovered Skygofree recently, in late 2017, but our analysis shows the attackers have been using it — and constantly enhancing it — since 2014. Over the past three years, it has grown from a rather simple piece of malware into full-fledged, multifunctional spyware.

The malware is distributed through fake mobile operator websites, where Skygofree is disguised as an update to improve mobile Internet speed. If a user swallows the bait and downloads the Trojan, it displays a notification that setup is supposedly in progress, conceals itself from the user, and requests further instructions from the command server. Depending on the response, it can download a variety of payloads — the attackers have solutions for almost every occasion.

Forewarned is forearmed

To date, our cloud protection service has logged only a few infections, all in Italy. But that doesn’t mean that users in other countries can let their guard down; malware distributors can change their target audience at any moment. The good news is that you can protect yourself against this advanced Trojan just like any other infection:

Install apps only from official stores. It’s wise to disable installation of apps from third-party sources, which you can do in your smartphone settings.

If in doubt, don’t download. Pay attention to misspelled app names, small numbers of downloads, or dubious requests for permissions — any of these things should raise flags.

Install a reliable security solution — for example, Kaspersky Internet Security for Android. This will protect your device from most malicious apps and files, suspicious websites, and dangerous links. In the free version scans must be run manually; the paid version scans automatically.

We recommend that business users deploy Kaspersky Security for Mobile — a component of Kaspersky Endpoint Security for Business — to protect the phones and tablets employees use at work.